UMA Release Notes
...
Previously, little was said about privacy implications of requesting party claims being transmitted to the AS. Now this section has been greatly expanded. (211) (Core Sec 8.2)
Changes Affecting Resource Server (+Client) Implementations
Following are specification changes in V1.0.1 that affect resource servers, and possibly clients that interact with them as well (denoted with (+Client) in the title).
...
Previously, the security considerations around accepting policy-setting context information from an incompletely trusted AS were not covered. Now they cover the user_access_policy_uri property, which is the only policy-setting context information passed from AS to RS. (185) (RSR Sec 4)
Specification Reorganizations
The specifications, particularly Core Sec 3, were reorganized in the fashion of OpenID Connect, with the goal of giving a subsection to every request and response message. Other notable changes include:
- Several “commentary” subsections were added, such as Core Sec 3.2.2 discussing permission ticket creation and management, and RSR Sec 2.1.2 discussing scope interpretation.
- A new section, Core Sec 9.2, registers the permissions property in the new OAuth token introspection IANA registry (this is in addition to its registration in the JWT claims registry).
- Core Sec 7.4.1 breaks out the new, more extensive security considerations discussion of pushed claims.
- Core Sec 8 now has subsections to make privacy considerations easier to find and understand.
V1.0 sections (black) are presented in original Table of Contents order, mapped to their corresponding draft V1.0.1 sections (green).
Core Specification Reorganization
Found in Core V1.0 (go)
Find in Core draft V1.0.1 (go)
3.1 Client Attempts Access to Protected Resource (go)
3.1 Client Attempts Access to Protected Resource (go)
3.1.1 Client Request to Resource Server With No RPT (go)
3.1.1 Client Request to Resource Server With No RPT
3.3 Resource Server Responds to Client
3.3.1 Resource Server Response to Client on Permission Registration Success
3.3.2 Resource Server Response to Client on Permission Registration Failure
3.1.2. Client Presents RPT (go)
3.1.2 Client Request to Resource Server With RPT (go)
3.3 Resource Server Responds to Client (go)
3.3.1 Resource Server Response to Client on Permission Registration Success
3.3.2 Resource Server Response to Client on Permission Registration Failure
3.3.3 Resource Server Response to Client on Sufficiency of Authorization
3.2. Resource Server Registers Requested Permission With Authorization Server (go)
3.2 Resource Server Registers Requested Permission With Authorization Server (go)
3.2.1 Resource Server Request to Permission Registration Endpoint
3.2.2 Permission Ticket Creation and Management
3.2.3 Authorization Server Response to Resource Server on Permission Registration Success
3.2.4 Authorization Server Response to Resource Server on Permission Registration Failure
3.3. Resource Server Determines RPT's Status (go)
3.3.1. Token Introspection
3.3.2. RPT Profile: Bearer
3.4 Resource Server Determines RPT Status (go)
3.4.1 Token Introspection Process
3.4.2 RPT Profile: Bearer
3.4. Client Seeks Authorization for Access (go)
3.5 Client Seeks Authorization for Access (go)
3.4.1. Client Requests Authorization Data (go)
3.5.1 Client Request to Authorization Server for Authorization Data (go)
3.5.2 Authorization Assessment Process
3.5.3 Authorization Server Response to Client on Authorization Success
3.5.4 Authorization Server Response to Client on Authorization Failure
3.4.1.1. Authentication Context Flows (go)
3.6 Client Responds to Authorization Server's Request for Additional Information (go)
3.6.1 Client Redirects Requesting Party to Authorization Server for Authentication
3.4.1.2. Claims-Gathering Flows (go)
3.6 Client Responds to Authorization Server's Request for Additional Information (go)
3.6.2 Client Pushes Claim Tokens to Authorization Server (go)
3.6.3 Client Redirects Requesting Party to Authorization Server for Claims-Gathering
4. Error Messages (go)
4.1. OAuth Error Responses
4.2. UMA Error Responses
4. Error Messages (go)
4.1 OAuth Error Responses
4.2 UMA Error Responses
5. Profiles for API Extensibility (go)
5.1. Protection API Extensibility Profile
5.2. Authorization API Extensibility Profile
5.3. Resource Interface Extensibility Profile
5. Profiles for API Extensibility (go)
5.1 Protection API Extensibility Profile
5.2 Authorization API Extensibility Profile
5.3 Resource Interface Extensibility Profile
6. Specifying Additional Profiles (go)
6.1. Specifying Profiles of UMA
6.2. Specifying RPT Profiles
6.3. Specifying Claim Token Format Profiles
6. Specifying Additional Profiles (go)
6.1 Specifying Profiles of UMA
6.2 Specifying RPT Profiles
6.3 Specifying Claim Token Format Profiles
7. Compatibility Notes (go)
n/a
8. Security Considerations (go)
7. Security Considerations (go)
8.1. Redirection and Impersonation Threats (go)
7.1 Requesting Party Redirection and Impersonation Threats (go)
8.2. Client Authentication (go)
7.2 Client Authentication (go)
8.3. JSON Usage (go)
7.3 JSON Usage (go)
8.4. Profiles, Binding Obligations, and Trust Establishment (go)
7.4 Profiles and Trust Establishment (go)
n/a
7.4.1 Requirements for Trust When Clients Push Claim Tokens (go)
9. Privacy Considerations (go)
8. Privacy Considerations (go)
8.1 Resource Set Information at the Authorization Server
8.2 Requesting Party Information at the Authorization Server
8.3 Profiles and Trust Establishment
10. IANA Considerations (go)
9. IANA Considerations (go)
10.1. JSON Web Token Claims Registration (go)
10.1.1. Registry Contents
9.1 JSON Web Token Claims Registration (go)
9.1.1 Registry Contents
n/a
9.2 OAuth Token Introspection Response Registration (go)
9.2.1 Registry Contents
10.2. Well-Known URI Registration (go)
10.2.1. Registry Contents
9.3 Well-Known URI Registration (go)
9.3.1 Registry Contents
11. Acknowledgments (go)
10. Acknowledgments (go)
12. References (go)
12.1. Normative References
12.2. Informative References
11. References (go)
11.1 Normative References
11.2 Informative References
...